Securing communication over the public internet between two Linux endpoints can be done in multiple ways: encryption at layer 3 (IPsec) or at layer 4/7 (TLS, for example). I'm using IPsec wherever it is possible. IPsec itself encrypts at layer 3; when NAT-T is performed the ESP packets are additionally wrapped in UDP (port 4500), which is why it is often described as layer 3/4 encryption.

With IPsec there are two modes for Phase 2 encapsulation: transport mode and ...

Here, I will generate a private key on the Juniper SRX firewall, then I will overwrite it with one that is generated on a Linux system with OpenSSL. One thing that needs to be known is that the private key on the ...

Post subject: PKI: How to import OpenSSL private key and public certificate in Juniper SRX

Posted: Fri Dec 12, 2014 10:07 am


One use of an SSL/TLS-style (X.509) key/certificate pair is authenticating IPsec peers. How does it work?

Each IPsec VPN endpoint possesses a private key and a public certificate. The certificate is issued by a CA from a certificate signing request (referred to as a "CSR" by many people); the CSR is signed with the private key and carries only the public key, which for RSA means the public modulus and exponent.
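The key/CSR workflow described above, together with the OpenSSL-generated key mentioned in the earlier post, as an added example that is not part of the original posts. It assumes a Linux host with the openssl command; the file names, key size and subject DN are placeholders. It also shows the check you want before importing anything into the firewall: the CSR (and later the issued certificate) must carry the same public modulus as the private key you intend to use, which is exactly what goes wrong if a certificate issued from an SRX-generated CSR is paired with a key generated elsewhere.

```shell
#!/bin/sh
# Added example (not from the original posts): generate an RSA private key and a
# CSR with OpenSSL, then prove the CSR carries the same public modulus as the key.
# File names, subject DN and key size below are assumptions for the demo.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/srx-vpn.key"            # key we actually want on the firewall
OTHER_KEY="$WORKDIR/unrelated.key"    # a second key, to show a mismatch
CSR="$WORKDIR/srx-vpn.csr"
SUBJECT="/C=US/O=Example Lab/CN=srx-hub.example.net"   # placeholder identity

# 1. Private key: 2048-bit RSA, unencrypted so it can be loaded into the
#    firewall's PKI store later. Keep it mode 0600 while it sits on disk.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    chmod 600 "$1"
}

# 2. CSR: signed with the private key, it embeds only the public half
#    (modulus + exponent). The CA turns this request into the certificate.
gen_csr() {
    openssl req -new -key "$1" -subj "$SUBJECT" -out "$2"
}

# SHA-256 fingerprint of the public modulus, taken from a key or from a CSR.
# awk picks the last field so both "(stdin)= ..." and "SHA256(stdin)= ..." work.
key_modulus() { openssl rsa -in "$1" -noout -modulus | openssl sha256 | awk '{print $NF}'; }
csr_modulus() { openssl req -in "$1" -noout -modulus | openssl sha256 | awk '{print $NF}'; }

# 3. The pre-import check: does this CSR belong to this private key?
#    Exit status 0 = same key pair, 1 = the pair does not match.
modulus_matches() {
    [ "$(key_modulus "$1")" = "$(csr_modulus "$2")" ]
}

gen_key "$KEY"
gen_csr "$KEY" "$CSR"
gen_key "$OTHER_KEY"

if modulus_matches "$KEY" "$CSR"; then
    echo "OK: key and CSR share modulus $(key_modulus "$KEY")"
else
    echo "MISMATCH: CSR was not generated from $KEY" >&2
    exit 1
fi

if modulus_matches "$OTHER_KEY" "$CSR"; then
    echo "unexpected: unrelated key matched the CSR" >&2
    exit 1
else
    echo "OK: unrelated key correctly rejected"
fi
```

Run it with `sh` on any host that has OpenSSL; the same `-modulus` comparison works against the issued certificate with `openssl x509 -in cert.pem -noout -modulus`, so you can repeat the check once the CA returns the certificate and before loading the pair into the SRX.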

The Juniper SRX firewall performs IKE Phase 1 identity validation based on the "remote-identity" configured for the specific IKE gateway.

If, after upgrading from Junos 10.4 (where a default identity is used) or because the remote host isn't sending one, the SRX under Junos 11.4 fails to bring up IKE Phase 1 due to an ID validation failure, the gateway can be changed to accept a generic IKE ID, bypassing IKE ID validation in the ...

Since there are not many scenarios where the hub is behind NAT, I've created an article that describes the situation where two spokes are behind NAT and only one of them has a static NAT.

Most hub-and-spoke IPsec VPN environments have the hub configured with a public IP address, but sometimes the hub is behind static NAT (all packets sent to a public IP address on the NAT device are forwarded to the IPsec hub SRX device ...

While researching the Juniper SRX IPsec VPN documentation and all the diverse scenarios, I noticed there is no documentation/KB article that describes the situation when one needs to connect two SRX spokes, two endpoints, when both of them are behind NAT, as in the above test diagram.